I am again opening a thread about a problem with our extension installation on several computers.

A few people can't install our extensions. They get this message: "The extension xxx does not contain valid signature. The extension will not be installed"

Our plugins have always worked since the beginning (about December 2010).

Our certificate is valid and has been created by TrustCenter.

I use ucf.jar with correct parameters...

I thought it was a manifest problem. So, I tried to generate plugins from the Extension Builder trial version, which generates the manifest "automatically", but the result is the same. I also tried to get a release from a non-signed certificate (1024-RSA and 2048-RSA)... but unsuccessfully...

If so, scroll down to post 5 (one of my replies) on that thread and you'll see an explanation for the behaviour. Sadly it is a bug in Extension Builder and ucf.jar documentation.

Assuming this is the problem you're having, I think your solution would be to obtain a valid certificate, and re-sign your extension using the Packaging and Signing Toolkit, specifying the tsa argument. I'm sorry for the trouble this has caused. We have a bug open against Extension Builder (#2923679), it will be fixed in the next release.

David, we are having the same problem: an extension signed with a valid certificate and with timestamp, using ucf.jar, valid manifest, installs without problems on some machines, but gives "The extension does not contain valid signature." error on some customers' machines (the reported one is Mac OS 10.7.1, with CS5.5).

I checked the "signatures.xml", it does contain a "TimeStamps" section.
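
The check described in the post above (does the package's signatures.xml carry a timestamp section), written out as an added example that is not part of the original thread or of Adobe's tooling. It opens a ZXP as a ZIP archive and reports what the signature file contains; the entry path META-INF/signatures.xml, the match on any element name containing "timestamp", and the sample package are assumptions, and nothing is verified cryptographically.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

SIGNATURE_ENTRY = "META-INF/signatures.xml"  # assumed path inside the ZXP

def inspect_zxp(data):
    """Structural triage only: no cryptographic verification is performed."""
    report = {"is_zip": False, "has_signature_file": False, "parsed": False,
              "certificates": 0, "has_timestamp": False}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return report
    report["is_zip"] = True
    with archive:
        if SIGNATURE_ENTRY not in archive.namelist():
            return report
        report["has_signature_file"] = True
        raw = archive.read(SIGNATURE_ENTRY)
    if b"<!DOCTYPE" in raw:  # refuse DTDs: no entity expansion on untrusted XML
        return report
    try:
        root = ET.fromstring(raw)
    except ET.ParseError:
        return report
    report["parsed"] = True
    for element in root.iter():
        name = element.tag.rsplit("}", 1)[-1]  # strip the '{namespace}' prefix
        if name == "X509Certificate":
            report["certificates"] += 1
        elif "timestamp" in name.lower():
            report["has_timestamp"] = True
    return report

def build_sample(timestamped):
    """Constructed package; only the 'TimeStamps' name comes from the thread."""
    stamp = "<TimeStamps><TimeStamp>Y29uc3RydWN0ZWQ=</TimeStamp></TimeStamps>"
    xml = ('<signatures><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">'
           "<KeyInfo><X509Data><X509Certificate>Y29uc3RydWN0ZWQ=</X509Certificate>"
           "</X509Data></KeyInfo>" + (stamp if timestamped else "")
           + "</Signature></signatures>")
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as package:
        package.writestr(SIGNATURE_ENTRY, xml)
    return buffer.getvalue()

if __name__ == "__main__":
    print(inspect_zxp(build_sample(True)))
```

If every field looks right and the package is still rejected on only some machines, the package itself is an unlikely cause and the verifying side deserves the attention.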

Anatoly, I will try to reproduce this behaviour but it will take me some time to get set up. In the meantime, can you help to isolate the issue by bypassing Extension Manager and installing the ZXP directly?

- Ensure the CSXS PlayerDebugMode flag is *not* set to 1 (the default should be 0 or non-existent) in /Users/<username>/Library/Preferences/com.adobe.CSXS.2.5.plist. This means that only signed extensions should get loaded.

I have tried to reproduce the installation issue with your extension on OSX 10.6.8, 10.7 and 10.7.1 but in each case I can install the extension okay. When I run it, I get a missing/broken swf icon (see below), but I don't think that is symptomatic of a signature problem.

I have asked the Extension Manager team if there are any known issues in this area which might explain the behaviour you are seeing.

If you can provide answers to the above or any other information which might help isolate the issue please do.

Sorry for the delay with response - I was swamped with other activities.

You are correct, the extension doesn't work even if it succeeds in installing; however, the problem is that on some Mac machines it fails to install.

I'm glad that the Extension Manager team have managed to reproduce it. All I can say is that the problem does not happen on all Macs - I couldn't reproduce it on my Mac OS 10.7.1, but a customer with the same version of Mac OS said that they got the "incorrect signature" error.

Do you think that the fix will be in the extension, or the users will need to update Extension Manager?

We're currently having the same problem. I'm adding what I know to this thread with hope that it will help you troubleshoot the problem.

An extension with a valid timestamped signature is rejected by the Adobe Extension Manager on installation (root CA is VeriSign; the certificate has not expired; extension packaged and signed with ucf.jar with a tsa URL). This is happening on computers running Mac OS X Lion 10.7.2 with CS5 and CS5.5. The same extensions that we have a problem installing now used to work on OS X Lion with both CS5 and CS5.5 a while ago, but since upgrading to the latest software from Adobe and Apple we get an error message saying "The extension XXX does not contain valid signature. The extension will not be installed". However, the same extension that's rejected on the Mac can be installed and works without any issue on a computer running Windows 7.

I am not quite sure what exactly I need to pay attention to regarding canonicalization limitations - I have no idea how the ucf tool works, and even if I did, I have no control over the verification process, so I am not sure why you are referring me to that document. Can you please elaborate?

I don't know how ucf.jar works either. Sorry for the confusion I caused. It should be taken care of by ucf.jar or any signing tools. Could you please send the new signed extension to me so that I can test it? I can reproduce this problem with the old extension you gave in the previous post. You can get my mail address from the private message.

This issue should also exist in CS5, although I didn't check it with CS5. If your extension is a CSXS extension (no *.mxi file in package), you can use the workaround provided by David in the third reply to install the extension manually. Note that you have to change the folder name "com.pixelnovel.timeline" in that post to the ExtensionBundleId of your extension (in manifest.mxl).

First let me provide a quick update on the signature bug. As pointed out, the ucf.jar solution does not seem to work. We have identified a couple of other solutions to this problem, but we need to test them internally before posting them on the forums or releasing them as a patch to Extension Manager and/or Extension Builder (if needed). I do not have a date yet on when this fix will be available but I can guarantee you that it is a top priority internally. I am sorry that this issue has surfaced and the entire team recognizes that it is an important issue for the developer community and has significant impact on you and your customers. I (or another member from my team) will provide an update to this thread with an ETA and/or the fix.

Regarding the signature issue: I suggest we discuss this on a separate thread (and possibly in the dev con in Munich for those of you who will attend). I do not see us moving away from signatures. Granted there are problems in the workflow. Hence, we should work on addressing those and simplifying the signing and deployment process. There are benefits to having extensions signed and deleting a feature is not usually the best way to solve a problem.

Yesterday we finalized our investigation and we now have a plan regarding the fix. Our #1 priority has been to get a working solution to customers ASAP. Here are the details:

Problem

The current implementation of Extension Manager cannot access the system root keychain on Mac 10.7.1. That is due to a particular component used by Extension Manager.

Solution

Stage 1:

We will make a manual fix available by Friday 10/28 morning Pacific time. The fix will be a .swf that end-users should download and manually replace the Extension Manager .swf on their machines. After they replace the .swf, they can go ahead and install extensions using Extension Manager. This will only apply to users who are on Mac 10.7+. In addition, your users should be running Extension Manager CS5 or CS5.5 and should download the latest update through Adobe Update Manager if they haven't done so already.

I understand that this is not optimal user experience but it is the fastest solution that we can make available.

We will post the .swf and detailed instructions on this forum thread.

Stage 2:

We are already working on an update to Extension Manager that will be available through Adobe Update Manager in mid November. The update will work even if some of your users have replaced the Extension Manager .swf in Stage 1 above (i.e. it will overwrite the fix from Stage 1). Only users that face this problem will be notified to download the update.

Note 1: Doing the manual fix is not necessary. You could still wait until the AUM update is available.

Note 2: The fix we do in Stage 1 is different than the one we'll do for Stage 2.

Note 3: No update is necessary for CS Extension Builder or the CS SDK.

Please let me know if you have any questions or concerns.

Thank you again for helping us in discovering and solving this issue and your understanding as we drive to a solution. I will keep you all posted as news develops.

Thanks also for the quick reply @Gabriel. Although I was able to track this down on the forum fairly quickly, it would be good to have something on the blog for end users (I'm sure you are already planning). I feel for TypeDNA extension, they just did a big marketing push, and it was installing their extension that gave me the heads up.

As promised, the fix for solving the signature bug in Lion is available. Below I am including two zip files (one for each version of Extension Manager) that contain the fix and instructions on how to apply it:

THANKS Gabriel! Very fast response and shows again how great the work of your group is. I wish all of Adobe were as responsive.

Our CS Extension for Fotolia (free at http://www.fotolia.com/adobeplugin ) had just been released, and we were about to promote it, yet are holding off until "around November 15th." Please let us know when the AUM update comes out, or if that date solidifies or changes.

We did validate that the fix works, which is quite awesome, so someone who really wants to use our extension can, yet some end users want things to be extremely easy, so I think waiting is prudent.

Please test future dot releases of Apple OS (these come out in beta, yes?) if possible - I don't believe Apple tests these against Adobe products, and I realize you don't have infinite testing budget, but this was quite a scare as we really count on CS Extension technology, which I believe will really take off in the next few years.

We have another bug with Lion and CS extensions that forced us to avoid the native file browser. Not sure if Ole sent you details yet, but we will.